Method And Device For Securing Block Ciphers Against Template Attacks

ABSTRACT

A method for securing a block cipher F, encrypted with a working key K₀, against template attacks is provided. A working permutation F(K₀) fixed by the block cipher F and the working key K₀, and a number N of dummy permutations G(K₁), . . . , G(K_(n)) are provided. The N dummy permutations G(K₁), . . . , G(K_(n)) are fixed by N dummy keys K₁, . . . , K_(n) and the block cipher F or the inverse F⁻¹ of the block cipher F. The working permutation F(K₀) and the N dummy permutations G(K₁), . . . , G(K_(n)) are chained to form a chain H in such a way that the chain H and the working permutation F(K₀) produce an identical image (H=F(K₀)). A block cipher F, in which a fixed key K₀ is used, is protected against template attacks as a result. A computer program product and a device for securing a block cipher F against template attacks are also proposed.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to DE Patent Application No. 10 2011 088 502.1 filed Dec. 14, 2011, the contents of which are incorporated herein by reference in their entirety.

TECHNICAL FIELD

The present disclosure relates to the securing of block ciphers against template attacks.

BACKGROUND

A block cipher is a symmetrical encryption method in which the plaintext to be encrypted is broken down into a sequence of blocks having the same length, by way of example the length 64 bits or 128 bits. Each block of plaintext is mapped onto a cipher block of the same length. Typical examples of block ciphers are the DES algorithm (DES, Data Encryption Standard) having a block width of 64 bits and the AES algorithm (AES, Advanced Encryption Standard) having a block width of 128 bits. Block ciphers are conventionally used if a large volume of data is to be encrypted.

Implementations of block ciphers are sometimes attacked using template attacks.

Template attacks belong to the category of side channel attacks. These are attacks against specific implementations of cryptographic methods which utilize physical side effects of the cryptographic sequences. Examples of such physical side effects are the required computing time, the resulting current profile and the electromagnetic radiation. The template attacks are not attacks against the cryptographic method per se, however.

In the case of a template attack it is assumed that the attacker has full access to a training implementation of the cryptographic method which is identical in terms of model in hardware and software to the actual target implementation which is to be attacked. Only the key or keys of the cryptographic method, whose implementation is to be attacked, are not available on the training implementation. A commonality of all template attacks lies in recording the characteristic of the current consumption curve for a number of input data from plaintexts and self-selected keys and then developing a model which optimally describes the dependency of the current consumption on the input data. This can be called a learning phase.

After this learning phase with the training implementation the current profile of the actual target platform, which depends on an unknown secret key, is then recorded in a subsequent measuring phase. With the aid of the model, created previously, about the connection between input data and current profile, an attempt is then made to determine the a priori unknown key. This ideally occurs using a single measurement.

It is obvious that the special situation, which forms the basis of the attack scenario of a template attack, does not always exist. Thus platforms with changeable keys may be prevented from coming into circulation at all by way of logistic means for instance. Furthermore, the key memories of a potential training platform may be electronically locked, so that it is virtually impossible to record the required measurement data with self-selected input data at all.

If, however, there is the possibility of a template attack, template attacks are actually the most powerful side channel attacks.

The conventional technical countermeasures against template attacks are firstly the same ones as may also be used against DPA attacks (DPA, Differential Power Analysis). By way of example, the individual dependency of the current consumption on the input data can be reduced by way of electrical smoothing of the implementation, for example by dual-rail logic. Furthermore, the cryptographic algorithm can be randomized in its sequence, by way of example by using random masks or by introducing what are known as “Random Wait States” into the process sequence. Furthermore, the keys used can be changed sufficiently frequently.

However, there are implementation situations in which a key change is not possible owing to external specifications, for example owing to standards.

SUMMARY

In one embodiment, a method for securing a block cipher (F), encrypted with a working key (K₀), against template attacks comprises: (a) providing a working permutation (F(K₀)) fixed by the block cipher (F) and the working key (K₀), (b) providing a number N of dummy permutations (G(K₁), . . . , G(K_(n))) that are fixed by N dummy keys (K₁, . . . , K_(n)) and the block cipher (F) or an inverse (F⁻¹) of the block cipher (F), and (c) chaining the working permutation (F(K₀)) and the dummy permutations (G(K₁), . . . , G(K_(n))) to form a chain such that the chain and the working permutation (F(K₀)) produce an identical image.

In a further embodiment, the number N of dummy permutations (G(K₁), . . . , G(K_(n))) is provided such that each chain of N dummy permutations (G(K₁), . . . , G(K_(n))) produces a pre-image set of the block cipher (F).

In a further embodiment, the chain of N dummy permutations is achieved by a first model having (g₁ o g₁⁻¹) o (g₂ o g₂⁻¹) o . . . o (g_(n) o g_(n)⁻¹), where g_(i)=G(K_(i)), wherein G designates the block cipher (F) or the inverse (F⁻¹) of the block cipher, and wherein K_(i), where i ∈ [1, . . . , n], designates the N dummy keys (K₁, . . . , K_(n)).

In a further embodiment, the chain of N dummy permutations is achieved by a second model having (g₁ o g₂ o . . . o g_(n)) o (g_(n)⁻¹ o . . . o g₂⁻¹ o g₁⁻¹), where g_(i)=G(K_(i)), wherein G designates the block cipher (F) or the inverse (F⁻¹) of the block cipher, and wherein K_(i), where i ∈ [1, n], designates the N dummy keys (K₁, . . . , K_(n)).

In a further embodiment, the chain of N dummy permutations is achieved by a third model having (g₁ o g₂ o g₃⁻¹) o (g₃ o g₂⁻¹ o g₁⁻¹) o (g₄ o g₅ o g₆⁻¹) o (g₆ o g₅⁻¹ o g₄⁻¹) o . . . , where g_(i)=G(K_(i)), wherein G designates the block cipher (F) or the inverse (F⁻¹) of the block cipher, and wherein K_(i), where i ∈ [1, . . . , n], designates the N dummy keys (K₁, . . . , K_(n)).

In a further embodiment, an implementation of a triple DES encryption is secured using the third model.

In a further embodiment, the N dummy keys (K₁, . . . , K_(n)) are permutated before each application of steps a) to c).

In a further embodiment, the N dummy keys (K₁, . . . , K_(n)) are re-formed before each application of steps a) to c).

In a further embodiment, the working key (K₀) is permanently allocated to the block cipher (F).

In a further embodiment, a computer program product is provided for securing a block cipher (F), encrypted with a working key (K₀), against template attacks, the computer program product being embodied in non-transitory computer readable media and executable by a processor to: provide a working permutation (F(K₀)) fixed by the block cipher (F) and the working key (K₀), provide a number N of dummy permutations (G(K₁), . . . , G(K_(n))) that are fixed by N dummy keys (K₁, . . . , K_(n)) and the block cipher (F) or an inverse (F⁻¹) of the block cipher (F), and chain the working permutation (F(K₀)) and the dummy permutations (G(K₁), . . . , G(K_(n))) to form a chain such that the chain and the working permutation (F(K₀)) produce an identical image.

In another embodiment, a device is provided for securing a block cipher (F), encrypted with a working key (K₀), against template attacks, the device comprising: a first means for providing a working permutation (F(K₀)) fixed by the block cipher (F) and the working key (K₀), a second means for providing a number N of dummy permutations (G(K₁), . . . , G(K_(n))), which are fixed by N dummy keys (K₁, . . . , K_(n)) and the block cipher (F) or the inverse (F⁻¹) of the block cipher (F), and a third means for chaining the working permutation (F(K₀)) and the dummy permutations (G(K₁), . . . , G(K_(n))) to form a chain (H) in such a way that the chain (H) and the working permutation (F(K₀)) produce an identical image. In another embodiment, a processor includes such a device.

BRIEF DESCRIPTION OF THE DRAWINGS

Example embodiments will be explained in more detail below with reference to figures, in which:

FIG. 1 shows a flowchart of an exemplary embodiment of a method for securing a block cipher against template attacks;

FIG. 2 shows a block diagram of an exemplary embodiment of a device for securing a block cipher against template attacks;

FIG. 3 shows a block diagram of an exemplary embodiment of a processor having a device according to FIG. 2; and

FIG. 4 shows a block diagram of a further exemplary embodiment of a device for securing a block cipher against template attacks.

DETAILED DESCRIPTION

Embodiments of the present disclosure are configured to protect a block cipher, in which a fixed key is used, against template attacks.

For example, a method for securing a block cipher F, encrypted with a working key K₀, against template attacks is proposed. A working permutation F(K₀) fixed by the block cipher F and the working key K₀, and a number N of dummy permutations G(K₁), . . . , G(K_(n)) are provided. The N dummy permutations G(K₁), . . . , G(K_(n)) are fixed by N dummy keys K₁, . . . , K_(n) and the block cipher F or the inverse F⁻¹ of the block cipher F. The working permutation F(K₀) and the N dummy permutations G(K₁), . . . , G(K_(n)) are chained to form a chain H in such a way that the chain H and the working permutation F(K₀) produce an identical image (H=F(K₀)).

The permutation F(K₀) fixed by the block cipher F and the key K₀ is then chained to form a product H=G(K₁) o G(K₂) o . . . o G(K_(m)) o F(K₀) o G(K_(m+1)) o G(K_(m+2)) o . . . o G(K_(n)) of permutations in such a way that H=F(K₀) always applies. The working permutation F(K₀) can be advantageously hidden in the chain H thereby, so the probability of a successful template attack is reduced.

The keys K₁, . . . , K_(m) and K_(m+1), . . . , K_(n) used may be re-formed or at least permutated before each application of F. The block cipher G is chosen as G=F or G=F⁻¹ in this connection.

Use is made of the fact that the pre-image set M of a block cipher is identical to the image set and that the block cipher achieves a permutation to M following selection of a key. The totality of permutations of a set M forms a group with respect to the chain “o” of images. The permutations of M can therefore be chained to each other as desired. The result of the chain is always a permutation of M again. If f₁ and f₂ are two random permutations of M, the effect of the chained permutation f₁ o f₂ is defined by f₁ o f₂(m)=f₁(f₂(m)), if m designates a random element of M. The image of m under the permutation f₂ is therefore the pre-image for the permutation f₁.

In one embodiment the number N of dummy permutations G(K₁), . . . , G(K_(n)) is provided in such a way that a chain of N dummy permutations G(K₁), . . . , G(K_(n)) produces a pre-image set M of the block cipher F.

The permutations G(K₁), . . . , G(K_(n)) are in particular chosen such that G(K₁) o G(K₂) o . . . o G(K_(n)) is the identical image id_(M) on M. The permutations G(K_(m+1)), . . . , G(K_(n)) are accordingly also selected such that G(K_(m+1)) o G(K_(m+2)) o . . . o G(K_(n))=id_(M) applies.

Overall the following applies therefore: H=G(K₁) o G(K₂) o . . . o G(K_(m)) o F(K₀) o G(K_(m+1)) o G(K_(m+2)) o . . . o G(K_(n))=(G(K₁) o G(K₂) o . . . o G(K_(m))) o F(K₀) o (G(K_(m+1)) o G(K_(m+2)) o . . . o G(K_(n)))=id_(M) o F(K₀) o id_(M)=F(K₀).

G(K₁) o G(K₂) o . . . o G(K_(m)) and G(K_(m+1)) o G(K_(m+2)) o . . . o G(K_(n)) thereby achieve redundant representations of the identical image id_(M).

The following methods show how these redundant representations of the identical image may be easily obtained. g_(i):=G(K_(i)) is used to simplify notation.

Method 1: id=G(K₁) o G(K₂) o . . . o G(K_(m)) is from the model (g₁ o g₁⁻¹) o (g₂ o g₂⁻¹) o . . . o (g_(m) o g_(m)⁻¹)

Method 2: id=G(K₁) o G(K₂) o . . . o G(K_(m)) is from the model (g₁ o g₂ o . . . o g_(m)) o (g_(m)⁻¹ o . . . o g₂⁻¹ o g₁⁻¹)

Method 3: id=G(K₁) o G(K₂) o . . . o G(K_(m)) is from the model (g₁ o g₂ o g₃⁻¹) o (g₃ o g₂⁻¹ o g₁⁻¹) o (g₄ o g₅ o g₆⁻¹) o (g₆ o g₅⁻¹ o g₄⁻¹) o . . .

Furthermore, random mixed forms of the three said methods are possible. The described procedure is also valid for the permutation G(K_(m+1)) o G(K_(m+2)) o . . . o G(K_(n)).

Method 3 is particularly suitable if implementations of the triple DES algorithm are to be secured.

According to certain embodiments the possibility, which basically always exists, of iterating block ciphers may be used to secure an implementation of a block cipher against template attacks.

The iteration of block ciphers would conventionally only be used to increase the key space of an algorithm. A known example of this approach is the triple DES, which—in the above notation—causes a permutation of the model g₁ o g₂ o g₃⁻¹ after three keys have been chosen.

Block ciphers are typically constructed in such a way that a round function is iterated several times. In each round a new partial key is used which is derived from the chosen key in accordance with a specified pattern, which is known as Key Scheduling. As a rule, the permutation f, i.e. f=F(K), formed by a block cipher F following selection of a key K, differs from the associated inverse permutation f⁻¹ only by a different Key Scheduling. f⁻¹ can consequently also be achieved by the block cipher F.

This results in a method for securing block ciphers, which are operated with a fixed key, against template attacks which is very easy to implement. The actual implementation of the block cipher can be unchanged; only the loop counter, which controls the number of iterations of the round function, is increased.

Key Scheduling is modified such that it achieves a sequence of permutations as described above, see method 1 to method 3.
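The chain H = id_(M) o F(K₀) o id_(M) with dummy runs built by methods 1 to 3, as an added example that is not part of the original disclosure. It assumes a toy 32-bit Feistel cipher as a stand-in for F (not a real cipher), takes G=F, and uses hypothetical names such as `protected_encrypt`; as in the text, F⁻¹ is the same routine run with a reversed key schedule.

```python
# Added example: toy 32-bit Feistel cipher as a stand-in for F (not a real cipher).
import hashlib
import secrets

ROUNDS = 8

def _prf(data: bytes) -> int:
    """16-bit value from SHA-256, used for key scheduling and the round function."""
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def round_keys(key: bytes) -> list:
    """Key scheduling: one partial key per round, derived from the chosen key."""
    return [_prf(key + bytes([r])) for r in range(ROUNDS)]

def _feistel(block: int, subkeys: list) -> int:
    left, right = block >> 16, block & 0xFFFF
    for sk in subkeys:
        left, right = right, left ^ _prf(right.to_bytes(2, "big") + sk.to_bytes(2, "big"))
    return (right << 16) | left  # final swap: same routine inverts with reversed keys

def F(key: bytes, block: int) -> int:
    return _feistel(block, round_keys(key))

def F_inv(key: bytes, block: int) -> int:
    # f^-1 differs from f only by the key scheduling (reversed partial keys).
    return _feistel(block, round_keys(key)[::-1])

# A chain is a list of (key, inverse?) steps written left to right, as in the text.
def method1(keys):
    """(g1 o g1^-1) o (g2 o g2^-1) o ..."""
    return [step for k in keys for step in ((k, False), (k, True))]

def method2(keys):
    """(g1 o g2 o ... o gm) o (gm^-1 o ... o g2^-1 o g1^-1)"""
    return [(k, False) for k in keys] + [(k, True) for k in reversed(keys)]

def method3(keys):
    """(g1 o g2 o g3^-1) o (g3 o g2^-1 o g1^-1) o ...  (triple-DES-shaped blocks)"""
    if len(keys) % 3:
        raise ValueError("method 3 consumes dummy keys in groups of three")
    chain = []
    for i in range(0, len(keys), 3):
        a, b, c = keys[i:i + 3]
        chain += [(a, False), (b, False), (c, True), (c, False), (b, True), (a, True)]
    return chain

def apply_chain(chain, block: int) -> int:
    # f1 o f2 (m) = f1(f2(m)): the rightmost permutation is applied first.
    for key, inverse in reversed(chain):
        block = (F_inv if inverse else F)(key, block)
    return block

def protected_encrypt(k0: bytes, block: int, n_dummy: int = 3):
    """Return (H(block), number of cipher passes); dummy keys are re-formed per call."""
    builders = (method1, method2, method3)
    fresh = lambda: [secrets.token_bytes(8) for _ in range(n_dummy)]
    chain = (secrets.choice(builders)(fresh())      # redundant id_M before F(K0)
             + [(k0, False)]                        # the working permutation
             + secrets.choice(builders)(fresh()))   # redundant id_M after F(K0)
    return apply_chain(chain, block), len(chain)

if __name__ == "__main__":
    k0 = b"fixed-working-key"                       # constructed sample key
    c, passes = protected_encrypt(k0, 0xDEADBEEF)
    print(hex(c), hex(F(k0, 0xDEADBEEF)), passes)
```

With three dummy keys on each side, every call runs 13 cipher passes under freshly drawn keys, and the output equals F(K₀)(m) regardless of which methods were picked.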

In a further embodiment the chain of N dummy permutations G(K₁), . . . , G(K_(n)) is achieved by a first model having (g₁ o g₁⁻¹) o (g₂ o g₂⁻¹) o . . . o (g_(n) o g_(n)⁻¹), where g_(i)=G(K_(i)), wherein G designates the block cipher F or the inverse F⁻¹ of the block cipher F and wherein K_(i), where i ∈ [1, . . . , n], designates the N dummy keys K₁, . . . , K_(n).

In a further embodiment the chain of N dummy permutations G(K₁), . . . , G(K_(n)) is achieved by a second model having (g₁ o g₂ o . . . o g_(n)) o (g_(n)⁻¹ o . . . o g₂⁻¹ o g₁⁻¹), where g_(i)=G(K_(i)), wherein G designates the block cipher F or the inverse F⁻¹ of the block cipher F and wherein K_(i), where i ∈ [1, . . . , n], designates the N dummy keys K₁, . . . , K_(n).

In a further embodiment the chain of N dummy permutations is achieved by a third model having (g₁ o g₂ o g₃⁻¹) o (g₃ o g₂⁻¹ o g₁⁻¹) o (g₄ o g₅ o g₆⁻¹) o (g₆ o g₅⁻¹ o g₄⁻¹) o . . . , where g_(i)=G(K_(i)), wherein G designates the block cipher F or the inverse F⁻¹ of the block cipher F and wherein K_(i), where i ∈ [1, . . . , n], designates the N dummy keys K₁, . . . , K_(n).

In a further embodiment an implementation of a triple DES encryption is secured using the third model.

In a further embodiment the N dummy keys K₁, . . . , K_(n) are permutated before each application of securing.

In a further embodiment the N dummy keys K₁, . . . , K_(n) are re-formed before each application of securing.

In a further embodiment the working key K₀ is permanently allocated to the block cipher F.

A computer program product is also proposed which causes a method, as described above, for securing a block cipher F, encrypted with a working key K₀, against template attacks to be carried out on a program-controlled device.

A computer program product such as a computer program means can be provided or supplied by way of example as a storage medium, such as memory card, USB stick, CD-ROM, DVD or in the form of a file which can be downloaded from a server in a network. This can occur for example in a wireless communications network by the transmission of a corresponding file with the computer program product or computer program means.

A device for securing a block cipher F, encrypted or working with a working key K₀, against template attacks is also proposed which comprises a first means, a second means and a third means. The first means is set up to provide a working permutation F(K₀) fixed by the block cipher F and the working key K₀. The second means is set up to provide a number N of dummy permutations G(K₁), . . . , G(K_(n)). The N dummy permutations G(K₁), . . . , G(K_(n)) are fixed by N dummy keys K₁, . . . , K_(n) and the block cipher F or the inverse F⁻¹ of the block cipher F. The third means is set up to chain the working permutation F(K₀) and the N dummy permutations G(K₁), . . . , G(K_(n)) to form a chain H in such a way that the chain H and the working permutation F(K₀) produce an identical image (H=F(K₀)).

The respective means can be implemented in terms of hardware or software technology. With a hardware implementation the respective means can be constructed as a device or as part of a device, for example as a computer or microprocessor. With a software implementation the respective means can be constructed as a computer program product, a function, a routine, as part of a program code or as an executable object.

A processor having a device as described above for securing a block cipher F, encrypted with a working key K₀, against template attacks is also proposed. The device is implemented by way of example as part of the CPU (CPU, Control Processing Unit) of the processor.

FIG. 1 shows a flowchart of an exemplary embodiment of a method for securing a block cipher F, encrypted with a working key K₀, against template attacks.

A working permutation F(K₀) fixed by the block cipher F and the working key K₀ is provided in step 101. The working key K₀ is in particular permanently allocated to the block cipher F.

In step 102 a number N of dummy permutations G(K₁), . . . , G(K_(n)) is provided. The N dummy permutations G(K₁), . . . , G(K_(n)) are fixed by N dummy keys K₁, . . . , K_(n) and the block cipher F or the inverse F⁻¹ of the block cipher F.

In step 103 the working permutation F(K₀) and the N dummy permutations G(K₁), . . . , G(K_(n)) are chained to form a chain H in such a way that the chain H and the working permutation F(K₀) produce an identical image (H=F(K₀)).

The N dummy keys K₁, . . . , K_(n) may be permutated or re-formed before each application of steps 101 to 103.

Steps 101 to 103 are implemented by a computer program product by way of example, which causes steps 101 to 103 to be carried out on a program-controlled device, by way of example on a processor.

FIG. 2 shows a block diagram of an exemplary embodiment of a device 200 for securing a block cipher F, encrypted with a working key K₀, against template attacks.

The device 200 has a first means 201, a second means 202 and a third means 203. The first means 201 is set up to provide a working permutation F(K₀) fixed by the block cipher F and the working key K₀. The second means 202 is set up to provide a number N of dummy permutations G(K₁), . . . , G(K_(n)). The N dummy permutations G(K₁), . . . , G(K_(n)) are fixed by N dummy keys K₁, . . . , K_(n) and the block cipher F or the inverse F⁻¹ of the block cipher F. The third means 203 is set up to chain the working permutation F(K₀) and the N dummy permutations G(K₁), . . . , G(K_(n)) to form a chain H in such a way that the chain H and the working permutation F(K₀) produce an identical image (H=F(K₀)).

FIG. 3 shows a block diagram of an exemplary embodiment of a processor 300 having a device 200 according to FIG. 2. The device 200 is implemented by way of example as part of the CPU 301 of the processor 300, which is coupled to a memory 302. The working key K₀ and the dummy keys K₁, . . . , K_(n) in particular can be stored in the memory 302.

FIG. 4 shows a block diagram of a further exemplary embodiment of a device 400 for securing a block cipher against template attacks.

The device 400 in FIG. 4 has a key store 401 for storing the keys K₁, . . . , K_(n), an input 402 for an application means 403, the application means 403 and an output 404 of the application means 403. The output 404 is fed back to the input 402.

The application means 403 integrates the functions of the first means 201, the second means 202 and the third means 203 in FIG. 2 in particular.

The key store 401 provides the keys K₁, . . . , K_(n) in the desired sequence. Encryption begins in that the input 402 provides the application means 403 with the plaintext m and the application means 403 executes the algorithm G with the first key K₁. The plaintext m is encrypted to give G(K₁)(m). This first cipher text G(K₁)(m) is fed back from the output 404 into the input 402 and therewith into the application means 403. Encryption is then performed with the key K₂ to give G(K₂)(G(K₁)(m)). Encryption is carried out accordingly until the last key K_(n) has been used.

Although the invention has been illustrated and described in more detail by exemplary embodiments, it is not limited by the disclosed examples and other variations can be derived herefrom by the person skilled in the art without departing from the scope of the invention.

What is claimed is:
1. A method for securing a block cipher (F), encrypted with a working key (K₀), against template attacks, the method comprising: a) providing a working permutation (F(K₀)) fixed by the block cipher (F) and the working key (K₀), b) providing a number N of dummy permutations (G(K₁), . . . , G(K_(n))) that are fixed by N dummy keys (K₁, . . . , K_(n)) and the block cipher (F) or an inverse (F⁻¹) of the block cipher (F), and c) chaining the working permutation (F(K₀)) and the dummy permutations (G(K₁), . . . , G(K_(n))) to form a chain such that the chain and the working permutation (F(K₀)) produce an identical image.
2. The method of claim 1, wherein the number N of dummy permutations (G(K₁), . . . , G(K_(n))) is provided such that each chain of N dummy permutations (G(K₁), . . . , G(K_(n))) produces a pre-image set of the block cipher (F).
3. The method of claim 2, wherein the chain of N dummy permutations is achieved by a first model having (g₁ o g₁⁻¹) o (g₂ o g₂⁻¹) o . . . o (g_(n) o g_(n)⁻¹), where g_(i)=G(K_(i)), wherein G designates the block cipher (F) or the inverse (F⁻¹) of the block cipher, and wherein K_(i), where i ∈ [1, . . . , n], designates the N dummy keys (K₁, . . . , K_(n)).
4. The method of claim 2, wherein the chain of N dummy permutations is achieved by a second model having (g₁ o g₂ o . . . o g_(n)) o (g_(n)⁻¹ o . . . o g₂⁻¹ o g₁⁻¹), where g_(i)=G(K_(i)), wherein G designates the block cipher (F) or the inverse (F⁻¹) of the block cipher, and wherein K_(i), where i ∈ [1, . . . , n], designates the N dummy keys (K₁, . . . , K_(n)).
5. The method of claim 2, wherein the chain of N dummy permutations is achieved by a third model having (g₁ o g₂ o g₃⁻¹) o (g₃ o g₂⁻¹ o g₁⁻¹) o (g₄ o g₅ o g₆⁻¹) o (g₆ o g₅⁻¹ o g₄⁻¹) o . . . , where g_(i)=G(K_(i)), wherein G designates the block cipher (F) or the inverse (F⁻¹) of the block cipher, and wherein K_(i), where i ∈ [1, . . . , n], designates the N dummy keys (K₁, . . . , K_(n)).
6. The method of claim 5, wherein an implementation of a triple DES encryption is secured using the third model.
7. The method of claim 1, wherein the N dummy keys (K₁, . . . , K_(n)) are permutated before each application of steps a) to c).
8. The method of claim 1, wherein the N dummy keys (K₁, . . . , K_(n)) are re-formed before each application of steps a) to c).
9. The method of claim 1, wherein the working key (K₀) is permanently allocated to the block cipher (F).
10. A computer program product for securing a block cipher (F), encrypted with a working key (K₀), against template attacks, the computer program product being embodied in non-transitory computer readable media and executable by a processor to: provide a working permutation (F(K₀)) fixed by the block cipher (F) and the working key (K₀), provide a number N of dummy permutations (G(K₁), . . . , G(K_(n))) that are fixed by N dummy keys (K₁, . . . , K_(n)) and the block cipher (F) or an inverse (F⁻¹) of the block cipher (F), and chain the working permutation (F(K₀)) and the dummy permutations (G(K₁), . . . , G(K_(n))) to form a chain such that the chain and the working permutation (F(K₀)) produce an identical image.
11. The computer program product of claim 10, wherein the number N of dummy permutations (G(K₁), . . . , G(K_(n))) is provided such that each chain of N dummy permutations (G(K₁), . . . , G(K_(n))) produces a pre-image set of the block cipher (F).
12. The computer program product of claim 11, wherein the chain of N dummy permutations is achieved by a first model having (g₁ o g₁⁻¹) o (g₂ o g₂⁻¹) o . . . o (g_(n) o g_(n)⁻¹), where g_(i)=G(K_(i)), wherein G designates the block cipher (F) or the inverse (F⁻¹) of the block cipher, and wherein K_(i), where i ∈ [1, . . . , n], designates the N dummy keys (K₁, . . . , K_(n)).
13. The computer program product of claim 11, wherein the chain of N dummy permutations is achieved by a second model having (g₁ o g₂ o . . . o g_(n)) o (g_(n)⁻¹ o . . . o g₂⁻¹ o g₁⁻¹), where g_(i)=G(K_(i)), wherein G designates the block cipher (F) or the inverse (F⁻¹) of the block cipher, and wherein K_(i), where i ∈ [1, . . . , n], designates the N dummy keys (K₁, . . . , K_(n)).
14. The computer program product of claim 11, wherein the chain of N dummy permutations is achieved by a third model having (g₁ o g₂ o g₃⁻¹) o (g₃ o g₂⁻¹ o g₁⁻¹) o (g₄ o g₅ o g₆⁻¹) o (g₆ o g₅⁻¹ o g₄⁻¹) o . . . , where g_(i)=G(K_(i)), wherein G designates the block cipher (F) or the inverse (F⁻¹) of the block cipher, and wherein K_(i), where i ∈ [1, n], designates the N dummy keys (K₁, . . . , K_(n)).
15. The computer program product of claim 14, wherein an implementation of a triple DES encryption is secured using the third model.
16. The computer program product of claim 10, wherein the N dummy keys (K₁, . . . , K_(n)) are permutated before each application of steps a) to c).
17. The computer program product of claim 10, wherein the N dummy keys (K₁, . . . , K_(n)) are re-formed before each application of steps a) to c).
18. The computer program product of claim 10, wherein the working key (K₀) is permanently allocated to the block cipher (F).